Stored Cross-Site Scripting Vulnerability in MainWP Dashboard
CVE-2016-15041

7.2HIGH

Key Information:

Vendor: MainWP
Status: MainWP Dashboard: WordPress Management Without The Saas
Vendor: CVE Published:; 16 October 2024

Summary

The MainWP Dashboard plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability that emerges from inadequate input sanitization and output escaping. This flaw involves the 'mwp_setup_purchase_username' parameter, allowing unauthenticated users to inject malicious web scripts. When users access compromised pages, these scripts execute, potentially leading to unauthorized actions and exposure of sensitive information. Users of MainWP Dashboard versions up to 3.1.2 are urged to review and implement appropriate security measures to mitigate risks associated with this vulnerability.

Affected Version(s)

MainWP Dashboard: WordPress Management without the SaaS * < 3.1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://klikki.fi/adv/mainwp.html

https://www.acunetix.com/vulnerabilities/web/wordpress-pl...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 16, 2024
Vulnerability Reserved
Oct 15, 2024

Credit

Jouko Pynnöne